Linux bluetooth development
* [PATCH] Bluetooth: MGMT: Fix ADD_EXT_ADV_DATA rollback of committed instances
@ 2026-07-03  6:00 Cen Zhang
From: Cen Zhang @ 2026-07-03  6:00 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: linux-bluetooth, baijiaju1990, zzzccc427

add_ext_adv_data() uses clear_new_instance to roll back failures after
preparing advertising data. That path is valid for a newly created pending
instance, but a malformed ADD_EXT_ADV_DATA request can also reach it for
an already committed advertising instance. In that case clear_new_instance
frees the live adv_info while hci_cmd_sync_work() may still be using it.

The buggy scenario involves two paths, with each column showing the order
within that path:

  advertising enable path:           ADD_EXT_ADV_DATA error path:
  1. look up the committed adv_info  1. accept an update for that instance
  2. wait for the controller         2. hit clear_new_instance on failure
     response                        3. remove and free the live adv_info
  3. resume and access adv_info

Validation reproduced this kernel report:
BUG: KASAN: slab-use-after-free in hci_enable_ext_advertising_sync+0x99/0x190 [bluetooth]
Read of size 1 at addr ffff888104e3f010 by task kworker/u17:1/2502
Workqueue: hci0 hci_cmd_sync_work [bluetooth]

Call Trace:
 <TASK>
 dump_stack_lvl+0x66/0xa0
 print_report+0xce/0x5f0
 ? hci_enable_ext_advertising_sync+0x99/0x190 [bluetooth]
 ? __virt_addr_valid+0x19f/0x330
 ? hci_enable_ext_advertising_sync+0x99/0x190 [bluetooth]
 kasan_report+0xe0/0x110
 ? hci_enable_ext_advertising_sync+0x99/0x190 [bluetooth]
 ? __pfx_add_ext_adv_data_sync+0x10/0x10 [bluetooth]
 hci_enable_ext_advertising_sync+0x99/0x190 [bluetooth]
 ? __pfx_hci_enable_ext_advertising_sync+0x10/0x10 [bluetooth]
 hci_cmd_sync_work+0x187/0x210 [bluetooth]
 process_one_work+0x4fd/0xbc0
 worker_thread+0x2d8/0x570
 kthread+0x1ad/0x1f0
 ret_from_fork+0x3c9/0x540
 ret_from_fork_asm+0x1a/0x30

Allocated by task 2515:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x17/0x60
 __kasan_kmalloc+0xaa/0xb0
 hci_add_adv_instance+0x35d/0x440 [bluetooth]
 add_ext_adv_params+0x291/0x510 [bluetooth]
 hci_sock_sendmsg+0x96b/0xf80 [bluetooth]
 __sys_sendto+0x2bc/0x2d0
 __x64_sys_sendto+0x76/0x90
 do_syscall_64+0x115/0x6a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 2515:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x17/0x60
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x5f/0x80
 kfree+0x313/0x590
 hci_remove_adv_instance+0x130/0x1b0 [bluetooth]
 add_ext_adv_data+0x263/0x640 [bluetooth]
 hci_sock_sendmsg+0x96b/0xf80 [bluetooth]
 __sys_sendto+0x2bc/0x2d0
 __x64_sys_sendto+0x76/0x90
 do_syscall_64+0x115/0x6a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Only pending instances should be rolled back from ADD_EXT_ADV_DATA
failures. Leave committed instances in place so queued controller work
cannot retain a freed adv_info pointer.

Fixes: 12410572833a2 ("Bluetooth: Break add adv into two mgmt commands")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
 net/bluetooth/mgmt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 733a4b70e10c..a4126d616efa 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9220,7 +9220,8 @@ static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
 	goto unlock;
 
 clear_new_instance:
-	hci_remove_adv_instance(hdev, cp->instance);
+	if (adv_instance->pending)
+		hci_remove_adv_instance(hdev, cp->instance);
 
 unlock:
 	hci_dev_unlock(hdev);
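Review bot: the new condition at the `clear_new_instance` label dereferences `adv_instance`, and this label is reached by `goto` from earlier error paths that the hunk does not show; the fix is only safe if every `goto clear_new_instance` lies after a successful lookup of `adv_instance`, otherwise the guard itself reads a NULL or uninitialised pointer. If any jump can precede the lookup, initialise `adv_instance` to NULL at its declaration and write `if (adv_instance && adv_instance->pending)`. A one-line comment above the `if` explaining why a committed instance is deliberately left in place (queued hci_cmd_sync work may still reference it) would also help the next reader, since the condition does not explain itself.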
-- 
2.43.0


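To make the rollback rule in the commit message concrete, here is a constructed userspace model (an added example, not the kernel's code or the author's): instance 1 is already committed, instance 2 is still pending, both receive a rejected data update, and only the pre-patch behaviour frees the committed one, which is exactly the pointer a queued worker can still hold. The `model_*` names and the array-backed device are assumptions of this model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed userspace model of the rollback rule in the patch, not kernel code. */
struct adv_info {
	unsigned char instance;
	bool pending; /* set by ADD_EXT_ADV_PARAMS, cleared once data is committed */
};
#define MAX_INSTANCES 8
struct hci_dev { struct adv_info *inst[MAX_INSTANCES]; }; /* index = instance id */
static struct adv_info *model_add_instance(struct hci_dev *hdev, unsigned char id, bool pending)
{
	if (id >= MAX_INSTANCES || hdev->inst[id]) return NULL;
	struct adv_info *adv = calloc(1, sizeof(*adv));
	if (!adv) return NULL;
	adv->instance = id;
	adv->pending = pending;
	hdev->inst[id] = adv;
	return adv;
}

static void model_remove_instance(struct hci_dev *hdev, unsigned char id)
{
	free(hdev->inst[id]); /* a worker still holding this pointer would now use freed memory */
	hdev->inst[id] = NULL;
}

/* Error path taken when the new advertising data is rejected. guard_committed == false
 * models the pre-patch code; true models the patch. Returns whether the instance survives. */
static bool model_data_update_failed(struct hci_dev *hdev, unsigned char id, bool guard_committed)
{
	struct adv_info *adv = id < MAX_INSTANCES ? hdev->inst[id] : NULL;
	if (adv && (!guard_committed || adv->pending))
		model_remove_instance(hdev, id);
	return id < MAX_INSTANCES && hdev->inst[id] != NULL;
}

/* Committed instance 1 and pending instance 2 each receive a rejected update.
 * Returns (committed survived) << 1 | (pending survived). */
static int run_scenario(bool guard_committed)
{
	struct hci_dev hdev = { {0} };
	model_add_instance(&hdev, 1, false); /* committed: data already accepted */
	model_add_instance(&hdev, 2, true);  /* pending: created by this request's params step */
	int r = model_data_update_failed(&hdev, 1, guard_committed) << 1;
	r |= model_data_update_failed(&hdev, 2, guard_committed);
	for (unsigned char i = 0; i < MAX_INSTANCES; i++)
		model_remove_instance(&hdev, i); /* cleanup; free(NULL) is a no-op */
	return r; /* 0 before the patch, 2 with it */
}
```

Before the patch both instances are gone after the failed update; with the guard only the pending one is rolled back and the committed instance stays valid for any work already queued against it.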

* RE: Bluetooth: MGMT: Fix ADD_EXT_ADV_DATA rollback of committed instances
From: bluez.test.bot @ 2026-07-03  6:41 UTC (permalink / raw)
  To: linux-bluetooth, zzzccc427


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1120898

---Test result---

Test Summary:
CheckPatch                    PASS      0.60 seconds
VerifyFixes                   PASS      0.10 seconds
VerifySignedoff               PASS      0.10 seconds
GitLint                       FAIL      0.26 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      25.29 seconds
CheckAllWarning               PASS      27.74 seconds
CheckSparse                   PASS      26.35 seconds
BuildKernel32                 PASS      24.46 seconds
CheckKernelLLVM               SKIP      0.00 seconds
TestRunnerSetup               PASS      461.39 seconds
TestRunner_mgmt-tester        FAIL      220.05 seconds
TestRunner_mesh-tester        FAIL      25.86 seconds
IncrementalBuild              PASS      23.79 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: MGMT: Fix ADD_EXT_ADV_DATA rollback of committed instances

19: B1 Line exceeds max length (89>80): "BUG: KASAN: slab-use-after-free in hci_enable_ext_advertising_sync+0x99/0x190 [bluetooth]"
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.247 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.399 seconds
Mesh - Send cancel - 2                               Timed out    1.990 seconds


https://github.com/bluez/bluetooth-next/pull/390

---
Regards,
Linux Bluetooth


